Ukrainian Suspected of Leading Carbanak Gang Arrested in Spain

A Ukrainian national suspected of being the leader of a gang that used Carbanak malware to steal a significant amount of money from banks worldwide has been arrested in Spain, Europol and the Spanish government announced on Monday.

According to authorities, the man is believed to be the mastermind of an operation that resulted in losses totaling over €1 billion ($1.24 billion). The hackers targeted over 100 financial organizations in more than 40 countries around the world, stealing up to €10 million ($12.4 million) in a single heist.

The suspect was arrested in Alicante, Spain, following an investigation conducted by the Spanish National Police and supported by Europol, private cybersecurity firms, and law enforcement agencies in the United States, Romania, Belarus and Taiwan.

Spain’s interior ministry identified the suspect as Ukrainian national “Denis K” and noted that he ran the operation with help from three Russian and Ukrainian nationals. The mastermind of the operation had been working from Spain, and he found his accomplices online, but they never met in person.

The gang targeted ATMs in Spain’s capital city of Madrid in the first quarter of 2017, stealing half a million euros.

Police seized computers, jewelry worth €500,000 ($620,000), documents, and two luxury vehicles following Denis K’s arrest. Bank accounts and two houses valued at roughly €1 million ($1.24 million) were also blocked.

The cybercrime group, tracked as Carbanak, Anunak and Cobalt, has been around since at least 2013 and its activities were first detailed in 2014. According to Spain’s interior ministry, investigations into the group started in 2015.

According to Europol, the cybercriminals started out by using a piece of malware they had dubbed Anunak. They later improved this malware into a version that the cybersecurity industry has dubbed Carbanak. Starting in 2016, they launched more sophisticated attacks using a custom version of the penetration testing tool Cobalt Strike. It’s worth noting that this is not the only cybercrime group known to use the Carbanak malware.

The hackers delivered their malware to bank employees using spear-phishing emails. Once the malware was deployed, it gave attackers access to the compromised organization’s internal network, including servers controlling ATMs.

The cybercriminals used their access to these servers to remotely instruct ATMs to dispense cash at a predetermined time, when the group’s mules would be nearby to collect the money. They also transferred funds from the targeted bank to their own accounts, and modified balances to allow members of the gang to withdraw large amounts of money at cash machines.

Authorities said the group worked with the Russian and Moldovan mafia, which were responsible for the money mules involved in the operation. The criminal proceeds were often laundered using bitcoins – the gang is said to have acquired 15,000 bitcoins, currently worth more than $118 million.

“It appears that the ultimate downfall was spurred on by what ends up bringing down most organized crime groups: accounting. This reinforces the need for law enforcement organizations to continue focusing on traditional ‘follow the money angles’ as much as cyber forensic capabilities. As long as you cannot make major purchases with cryptocurrencies, the Achilles heel of any organized crime activity will be laundering money and taxes,” commented Ross Rustici, senior director of intelligence services at Cybereason.

“Pinching these types of actors from both a prevention of movement in cyberspace and a reduced ability to enjoy their illicit gains often results in the largest successes for law enforcement,” Rustici added. “What remains to be seen is whether this arrest will result in a serious degradation of Carbanak’s capabilities or merely a short-term hindrance while the group refocuses its activity.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
